Updated docs

AB-xdev · AB-xdev · commit 62044583383a · 2025-10-07T09:10:12.000+02:00
diff --git a/web-sidecar-common/README.md b/web-sidecar-common/README.md
@@ -75,3 +75,10 @@ It's main use-case is to prevent the requests from reaching the main application
 ### Error page compatibility
 
 Ensure that registered Web-Server error pages are accessible.
+
+### HTTP Security
+
+Controls how Security Matchers are applied to Sidecars.
+
+By default, it ALWAYS uses `PathPatternRequestMatcher` instead of the internally used `MvcRequestMatcher (deprecated)` (or `AntPathRequestMatcher` if MVC is not present) when calling `HTTPSecurity#securityMatcher(String...)`.
+This prevents unexpected bugs that can occur when a url mapping (e.g. `/2025/*`) is registered for a servlet, which can result in unwanted paths being picked up (e.g. `/2025/actuator`).
diff --git a/web-sidecar-common/src/main/java/software/xdev/sse/web/sidecar/httpsecurity/package-info.java b/web-sidecar-common/src/main/java/software/xdev/sse/web/sidecar/httpsecurity/package-info.java
@@ -19,9 +19,10 @@
  * #securityMatcher(org.springframework.security.web.util.matcher.RequestMatcher)} is applied for sidecars.
  * <p>
  * By default, it ALWAYS uses {@link org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher}
- * instead of the internally used <code>MvcRequestMatcher (deprecated)</code>. This prevents unexpected bugs that can
- * occur when a url mapping (e.g. <code>/2025/*</code>) is registered for a servlet, which can result in unwanted paths
- * being picked up (e.g. <code>/2025/actuator</code>).
+ * instead of the internally used <code>MvcRequestMatcher (deprecated)</code> (or <code>AntPathRequestMatcher</code>
+ * if MVC is not present) when calling <code>HTTPSecurity#securityMatcher(String...)</code>. This prevents unexpected
+ * bugs that can occur when a url mapping (e.g. <code>/2025/*</code>) is registered for a servlet, which can result
+ * in unwanted paths being picked up (e.g. <code>/2025/actuator</code>).
  * </p>
  * <p>
  * <i>This package is only designed to be used in Sidecars and not in the main application!</i>
diff --git a/web/README.md b/web/README.md
@@ -31,3 +31,13 @@ public MainLayout {
   }
 }
 ```
+
+### HSTS
+
+Configures HSTS, automatically picked up by sidecars for configuration.
+
+Spring Boot has HSTS <a href="https://docs.spring.io/spring-security/reference/features/exploits/headers.html#headers-hsts">enabled by default</a> which means that it always checks if a request is secure or not. If the request is determined to be secure it injects an HSTS header. This is unnecessary as HSTS is nearly always handled by the reverse proxy upstream that also handles certificates.
+
+The default implementation therefore disables HSTS when
+* it was explicitly disabled in the config
+* no SSL configuration is present

Original file line number	Diff line number	Diff line change
`@@ -31,3 +31,13 @@ public MainLayout {`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`	```
	`34`	`+`
	`35`	`+### HSTS`
	`36`	`+`
	`37`	`+Configures HSTS, automatically picked up by sidecars for configuration.`
	`38`	`+`
	`39`	`+Spring Boot has HSTS <a href="https://docs.spring.io/spring-security/reference/features/exploits/headers.html#headers-hsts">enabled by default</a> which means that it always checks if a request is secure or not. If the request is determined to be secure it injects an HSTS header. This is unnecessary as HSTS is nearly always handled by the reverse proxy upstream that also handles certificates.`
	`40`	`+`
	`41`	`+The default implementation therefore disables HSTS when`
	`42`	`+* it was explicitly disabled in the config`
	`43`	`+* no SSL configuration is present`